公开(公告)号：US20200036534A1

公开(公告)日：2020-01-30

申请号：US16469301

申请日：2017-12-12

Applicant: GEMALTO SA

Inventor： Alsasian ATMOPAWIRO ,  Thi Tra Giang DANG

IPC: H04L9/32 ,  H04L9/30 ,  H04L9/12

Abstract: The present invention relates to a method of secure generation by a client device and a server device of an RSA signature of a message to be signed with a private exponent component d of an RSA key (p, q, N, d, e), wherein said client device stores a client device private exponent component dA, a client value, and a client dynamic offset, and said server device stores a server device private exponent component dB, where dB=d−dA modulo phi(N), a server value, a server dynamic offset and a failure counter, comprising: a. receiving from the client device a client part of said RSA signature (HS1) of said message to be signed, after incrementing its client value (pvA) by a first predetermined step E, from the client device private exponent component and from an updated client dynamic offset function of said client dynamic offset and of said client value, b. setting said failure counter to a first default value, c. incrementing said server value (pvB) by a second predetermined step (E′), d. generating a server part of said RSA signature (HS2) of said message to be signed, from the server device private exponent component and from an updated server dynamic offset function of said server dynamic offset and of said server value, e. generating said RSA signature by combining said client part of said RSA signature (HS1) and said server part of said RSA signature (HS2), f. checking if the generation of the RSA signature was a failure and when it was a failure, incrementing said failure counter and g\ iteratively repeating above steps c\ to f\, until said RSA signature is successfully generated or said failure counter reaches a first predetermined threshold S.

公开(公告)号：US20200084034A1

公开(公告)日：2020-03-12

申请号：US16469526

申请日：2017-12-12

Applicant: GEMALTO SA

Inventor： Alsasian ATMOPAWIRO ,  Thi Tra Giang DANG

IPC: H04L9/30 ,  H04L9/32

Abstract: The present invention relates to a method of secure generation by a client device A and a server device B of at least a RSA current signature and a RSA next signature with a private exponent component d of an RSA key, comprising: •a handshake phase (P1) comprising: a. receiving (S1) a handshake request comprising a hash of the next client value (pvA_next), b. checking (S2) the value of the next client value (pvA_next) and: —when the next client value (pvA_next) equals a first default value (DUMMY): generating (S3) a new value (x) and updating the next server value (pvB_next) with the generated new value, and sending (S4) to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), —when the next client value (pvA_next) is not equal to said first default value (DUMMY): checking the value of the next server value (pvB_next) and when the next server value (pvB_next) is equal to a second default value (NULL) and the next client value (pvA_next) equals the current server value (pvB): sending to the client device (A) a fix request; and when the next server value (pvB_next) is equal to said second default value (NULL) and the next client value (pvA_next) is not equal to the current server value (pvB), suspending performing said method. •a signing phase (P2) performed by the server device (B) after the handshake phase and generating the current signature; said signing phase comprising: a. generating (S5) a server part of the current RSA signature (HS2) from the server device private exponent component (dB) and from an updated server dynamic offset (hB′) function of the current server dynamic offset (hB) and of a server shift value (cB), said server shift value (cB) being function of the current server value (pvB), such that the current RSA signature can be generated by combining said server part of the current RSA signature (HS2) and a client part of the current RSA signature (HS1) generated by the client device (A), b. setting (S8) the current server dynamic offset (hB) to the updated server dynamic offset (hB′) value, the current server value (pvB) to the value of the next server value (pvB_next) and the next server value (pvB_next) to a second default value (NULL), •performing the handshake phase and the signing phase with the next signature as current signature, for generating the next signature.